Diffstat (limited to 'manifests/subsystems/firewall.pp')
-rw-r--r-- | manifests/subsystems/firewall.pp | 239 |
1 files changed, 239 insertions, 0 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
new file mode 100644
index 0000000..765a59f
--- /dev/null
+++ b/manifests/subsystems/firewall.pp
@@ -0,0 +1,239 @@
+# firewall definitions for physical servers
+class firewall {
+ include shorewall
+
+ $rfc1918 = $shorewall_dmz ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '1',
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '2',
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => '3',
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => '4',
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => '5',
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '100',
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '101',
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '102',
+ }
+
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '103',
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "4900",
+ default => "$node_munin_port",
+ }
+
+ shorewall::rule { "munin":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "$munin_port",
+ ratelimit => '-',
+ order => "104",
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ #
+ # Traffic shapping
+ #
+ $in_bandwidth = $max_in_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_in_bandwidth",
+ }
+
+ $out_bandwidth = $max_out_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_out_bandwidth",
+ }
+
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "$in_bandwidth",
+ out_bandwidth => "$out_bandwidth",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ #
+ # DMZ Configuration
+ #
+ if $shorewall_dmz {
+ shorewall::host { "eth0-dmz":
+ name => 'eth0:192.168.1.0/24',
+ zone => 'dmz',
+ options => '',
+ order => '3',
+ }
+
+ shorewall::policy { 'dmz-all':
+ sourcezone => 'dmz',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => '6',
+ }
+
+ shorewall::policy { 'vm-dmz':
+ sourcezone => 'vm',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '7',
+ }
+
+ shorewall::policy { 'fw-dmz':
+ sourcezone => '$FW',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '8',
+ }
+
+ shorewall::zone { 'dmz':
+ type => 'ipv4',
+ order => '4',
+ }
+ }
+}
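Review bot: The DMZ policies at the end of the hunk (`dmz-all`, `vm-dmz`, `fw-dmz`, orders 6–8) sort after the catch-all `all-all` REJECT at order 5; if `order` determines line order in the generated policy file, Shorewall's first-match evaluation means they never take effect and DMZ traffic is rejected even when `$shorewall_dmz` is set. Moving the catch-alls last, e.g. `order => '90'` on `net-all` and `order => '99'` on `all-all`, would make the DMZ policies live, but note that `dmz-all` ACCEPT would then let DMZ hosts initiate connections to `vm` and `$FW`, which defeats the point of a DMZ; `dmz-net ACCEPT` plus a `dmz-all REJECT` and explicit rules for anything the DMZ needs from inside is the usual shape. Separately, the `munin` rule accepts `$munin_port` from the entire `net` zone (`eth0:0.0.0.0/0`); restricting it to the collector, `source => 'net:<monitoring-host-ip>'` (placeholder), keeps the agent off the open internet. The `$rfc1918` selector maps true/false to themselves and could be `$rfc1918 = $shorewall_dmz`, and the "Traffic shapping" banner is a typo for "shaping".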